Cryptanalysis of the arbitrated quantum signature protocols 
As a new model for signing quantum messages, arbitrated quantum signature (AQS) has recently received a lot of attention. In this paper we study the cryptanalysis of previous AQS protocols from the aspects of forgery and disavowal. We show that in these protocols the receiver Bob can realize existential forgery of the sender's signature under known message attack. Bob can even achieve universal forgery when the protocols are used to sign a classical message. Furthermore, the sender Alice can successfully disavow any of her signatures by a simple attack. The attack strategies are described in detail and some discussions about potential improvements of the protocols are given. Finally we also present several interesting topics for future study on AQS protocols.
PACS numbers: 03.67.Dd, 03.67.Ac 



I. INTRODUCTION 

Cryptography is the approach to protecting data secrecy in a public environment. As we know, the security of most classical cryptosystems is based on assumptions of computational complexity and might be susceptible to the strong ability of quantum computation [1], [2]. Fortunately, this difficulty can be overcome by quantum cryptography [3]. Different from its classical counterpart, quantum cryptography is the combination of quantum mechanics and cryptography, where the security is assured by physical principles such as the Heisenberg uncertainty principle and the quantum no-cloning theorem. Quantum cryptography has now attracted a great deal of attention because it can stand against quantum attacks. Quite a few branches of quantum cryptography have been studied in recent years, including quantum key distribution (QKD), quantum secret sharing (QSS), quantum secure direct communication (QSDC) [10-12], quantum identity authentication [13], [14], and so on.

Message authentication and digital signature are important branches of cryptography [15]. The former provides the ability to assure a message's origin and integrity. It is used to prevent a third party from masquerading as one of the legitimate users or substituting a false message for a legitimate one. The latter provides not only message authentication but also nonrepudiation. It is used mainly to prevent cheating by the legitimate users themselves, including forgery of the sender's signature by the receiver and repudiation of the signature by the sender.

As we know, the quantum nature makes a quantum message quite different from a classical one. Compared with their counterparts in classical cryptography, the authentication [16-19] and signature [20-24] of quantum messages are more difficult. In Ref. [17], Barnum et al. pointed out that if one wants to securely authenticate a quantum message he/she must perfectly encrypt it. That is to say, anyone else can learn nothing about the content of an authenticated quantum message. Consequently, in a quantum signature protocol, which has the function of authentication, the receiver of a signed quantum message cannot learn anything about its content. However, in an application of signature it is generally necessary for the receiver to learn something about the content of the signed message. As a result, they drew the conclusion that signing a quantum message is impossible.

Though Barnum et al.'s conclusion put a serious obstacle in the way of quantum message signature, the study of quantum signature schemes has not stopped. In 2002 Zeng and Keitel proposed a pioneering arbitrated quantum signature (AQS) protocol, which can be used to sign both classical messages and quantum ones [20]. In this protocol, the sender (signer) Alice prepares more than one copy of the quantum message to be signed so that at least one copy among them exists in the signed message as plaintext. Consequently, the receiver (verifier) Bob can not only learn the content of the signed quantum message but also verify the signature with the help of the arbitrator Trent, which is not contrary to Barnum et al.'s conclusion. To verify the validity of a signature a necessary and important technique, i.e. probabilistic comparison of two unknown quantum states [25], is introduced in Ref. [20]. This work gave an elementary model to sign a quantum message, which overcomes Barnum et al.'s limit and is feasible in theory. In 2009 Li et al. presented a Bell-states-based AQS protocol, which simplified Zeng et al.'s protocol by replacing Greenberger-Horne-Zeilinger states with Bell ones as the carrier [23]. Recently, Zou et al. further simplified this protocol, achieving AQS without entangled states [24]. Both of them still preserve the merits of Zeng et al.'s protocol.

Cryptanalysis plays an important role in the development of cryptography. It estimates a protocol's security level, finds potential loopholes and tries to overcome the security issues. As pointed out by Lo and Ko, breaking cryptographic systems is as important as building them [26]. In the study of quantum cryptography, quite a few effective attack strategies have been proposed, such as the intercept-resend attack [27], entanglement-swapping attack [28], [29], teleportation attack [30], dense-coding attack [31-33], channel-loss attack [34], [35], Denial-of-Service (DoS) attack [36], [37], Correlation-Extractability (CE) attack [38-40], Trojan horse attack [41], participant attack, and so on. Understanding those attacks will be helpful for us to design new schemes with high security.

When we analyze the security of a digital signature protocol, we generally pay attention to two important security requirements, i.e., the signature should not be forgeable by an attacker (including the receiver), and the signer cannot disavow his/her signature. In classical cryptography, as far as forgery is concerned, the attacks can be classified into the following three models [43].

1. Key-only attack, where the attacker knows only the public verification key.

2. Known message attack, where the attacker is given 
valid signatures for a variety of messages known by the 
attacker but not chosen by the attacker. 

3. Adaptive chosen message attack, where the attacker has previously obtained signatures on arbitrary messages of the attacker's choice.

Furthermore, an attack generally yields one of three kinds of result, namely:

1. Universal forgery, which results in the ability to 
forge signatures for any message (also called total break 
if the signing key is obtained). 

2. Selective forgery, which results in a signature on a 
message of the attacker's choice. 

3. Existential forgery, which results in some valid mes- 
sage/signature pair not already known to the attacker. 

In this paper we study the cryptanalysis of AQS protocols, and focus on forgery by the receiver Bob and repudiation by the signer Alice. Taking the protocols in Refs. [23], [24] as examples, we will show that, under known message attack, Bob can produce many existential forgeries of Alice's signature. More seriously, when the protocols are used to sign a classical message, Bob can achieve universal forgery of Alice's signature. Furthermore, Alice can successfully disavow the signature she signed for Bob. Therefore, some improvements to these AQS protocols are urgently needed.

The rest of this paper is organized as follows. In Sec. II and Sec. III we respectively analyze the security of the AQS protocols in Refs. [23] and [24], where the protocols are briefly recalled and particular attack strategies are demonstrated. Some useful discussions are given in Sec. IV, and Sec. V is our conclusion.



II. ANALYSIS OF THE AQS PROTOCOL WITH BELL STATES

In this section we first introduce the quantum one-time pad algorithm, which is helpful for understanding our attack strategies. Then the AQS protocol with Bell states [23] is described briefly and our security analysis follows.



A. Quantum one-time pad 

As the analog of the classical one-time pad, the quantum one-time pad (QOTP), also called the quantum Vernam cipher [43], uses classical key bits to encrypt quantum states. This cipher plays an important role in AQS protocols and it is meaningful for us to make it clear. Boykin and Roychowdhury proved that $2n$ random classical bits are both necessary and sufficient for encrypting any unknown state of $n$ qubits in an informationally secure manner [45]. Suppose $|P\rangle = \bigotimes_{i=1}^{n} |p_i\rangle$ is a quantum message composed of $n$ qubits $|p_i\rangle = \alpha_i|0\rangle + \beta_i|1\rangle$ and the key is $K \in \{0,1\}^{2n}$. The QOTP encryption $E_K$ on the quantum message can be described by

$$|C\rangle = E_K|P\rangle = \bigotimes_{i=1}^{n} \sigma_x^{k_{2i-1}} \sigma_z^{k_{2i}} |p_i\rangle, \qquad (1)$$

where $k_j$ denotes the $j$th bit of $K$, and $\sigma_x$ and $\sigma_z$ are Pauli operations. The corresponding decryption $D_K$ is

$$|P\rangle = D_K|C\rangle = \bigotimes_{i=1}^{n} \sigma_z^{k_{2i}} \sigma_x^{k_{2i-1}} |c_i\rangle, \qquad (2)$$

where $|c_i\rangle$ denotes the $i$th qubit of the ciphertext $|C\rangle$.



B. AQS protocol with Bell states 

The AQS protocol with Bell states [23] is as follows.

Initializing phase.

Alice and Bob each share a key with the arbitrator Trent, i.e. $K_A$ and $K_B$ respectively, and $n$ Bell states $|\psi_i\rangle_{AB} = \frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)$ are shared between Alice and Bob.

Signing phase.

S1. Alice obtains three copies of the quantum message $|P\rangle = \bigotimes_{i=1}^{n}|p_i\rangle$ to be signed.

S2. Using the key $K_A$, Alice encrypts one copy of $|P\rangle$ into $|R_A\rangle$, where

$$|R_A\rangle = E'_{K_A}|P\rangle = \bigotimes_{i=1}^{n} M_{k^A_i}|p_i\rangle. \qquad (3)$$

Here $M_{k^A_i} = \sigma_x$ when $k^A_i$, the $i$th bit of $K_A$, is 0, while $M_{k^A_i} = \sigma_z$ when $k^A_i = 1$.

S3. Alice performs Bell measurements on each qubit in the second copy of $|P\rangle$ and the corresponding qubit in the Bell states, obtaining the measurement result $|M_A\rangle = \bigotimes_{i=1}^{n}|m_A\rangle_i$, where the $|m_A\rangle_i$ are random Bell states. The aim of this step is to send the second copy of the message to Bob by teleportation via the Bell states previously shared between them.

S4. Alice encrypts $|M_A\rangle$ and $|R_A\rangle$ with $K_A$, obtaining the signature $|S\rangle = E_{K_A}(|M_A\rangle \otimes |R_A\rangle)$, where $E_{K_A}$ denotes QOTP encryption.

S5. Alice sends the signature and the third copy of the message, $|S\rangle \otimes |P\rangle$, to Bob.

Verifying phase.

V1. Bob encrypts the signed message by QOTP, obtaining $|Y_B\rangle = E_{K_B}(|S\rangle \otimes |P\rangle)$, and sends it to Trent.

V2. Trent decrypts the received ciphertext with $K_B$ and $K_A$, obtaining $|P\rangle$, $|M_A\rangle$, and $|R_A\rangle$, and then verifies whether $|R_A\rangle = E'_{K_A}|P\rangle$ by probabilistic comparison of quantum states [25]. If it is, he sets $r = 1$, otherwise $r = 0$.

V3. Trent recovers $|S\rangle$ and $|P\rangle$ (note that the compared states can be recovered after the comparison if they are indeed equal), reads out (and replicates) Alice's measurement result $|M_A\rangle$, and sends $|Y_{TB}\rangle = E_{K_B}(|M_A\rangle \otimes |S\rangle \otimes |P\rangle \otimes |r\rangle)$ to Bob. Here $E_{K_B}$ denotes QOTP encryption using the key $K_B$.

V4. Bob decrypts the received ciphertext and checks whether $r = 1$. If not, he believes the signature is forged and stops the protocol.

V5. According to $|M_A\rangle$, Bob can obtain the second copy of the quantum message via the teleportation by Alice. Then he compares it with the copy received from Trent. Bob accepts Alice's signature when they are equal, otherwise he rejects it.



C. Analysis of the AQS protocol with Bell states 

Now we analyze how the above protocol achieves the functions of a digital signature. To show that, we begin with the role of the arbitrator Trent. In this protocol, Trent knows $K_A$ and he can check whether $|R_A\rangle = E'_{K_A}|P\rangle$ in Step V2. When this equation holds, it implies that the signed message really came from Alice, because nobody else knows $K_A$. Note that after the verifying phase, all three copies of the quantum message will have been transmitted to Bob and Trent will have none of them. Furthermore, Trent does not know the content of the quantum message because he cannot read it owing to its quantum nature. Therefore, by sending his judgement result $r$ to Bob, Trent can only tell Bob whether this signed message originated from Alice. That is to say, if $r = 1$, Trent ensures that Alice sent a certain quantum message (to Bob) but the content is unknown to him.

Based on the above analysis, there must be a way for Trent to resolve disputes between Alice and Bob, though the protocol does not describe it clearly. Otherwise it is just like a protocol for message authentication instead of digital signature. It is not difficult to imagine the situation where a dispute appears, that is, Bob says that Alice signed a message $|\mathcal{P}\rangle$ for him but Alice announces that she did not sign such a message for Bob (maybe she indeed signed a message for Bob before but it is not $|\mathcal{P}\rangle$). In this condition Trent will require Bob to provide the message $|\mathcal{P}\rangle$ and Alice's corresponding signature $|\mathcal{S}\rangle$, decrypt $|\mathcal{S}\rangle$ with $K_A$ (obtaining $|\mathcal{M}_A\rangle$ and $|\mathcal{R}_A\rangle$), and then verify whether $|\mathcal{R}_A\rangle = E'_{K_A}|\mathcal{P}\rangle$, which is just like the process in Step V2. If the comparison result is positive Trent concludes that $|\mathcal{P}\rangle$ is indeed Alice's signed message and Alice is disavowing her signature. On the contrary, Trent believes the signature is forged by Bob if the result is negative.



1. Bob's forgery 

Let us first see the possibility for Bob to forge a valid signed message of Alice. As analyzed in Ref. [23], it looks as if Bob can counterfeit Alice's signature only when he knows the key $K_A$, because in this condition he can provide $|\mathcal{P}\rangle$ and $|\mathcal{S}\rangle = E_{K_A}(|\mathcal{M}_A\rangle \otimes |\mathcal{R}_A\rangle)$ such that $|\mathcal{R}_A\rangle = E'_{K_A}|\mathcal{P}\rangle$. But $K_A$ is the key shared between Alice and Trent via QKD, which is kept unknown to Bob. Consequently, it is impossible for Bob to forge Alice's signature in this manner. Then an interesting question arises: is there another way for Bob to produce a valid counterfeit of Alice's signature? Equivalently, can Bob successfully forge a signature without $K_A$? As we know, Bob, as the receiver of Alice's signature, indeed possesses Alice's valid signature on a certain message. Therefore, he is in a position to perform a known message attack. In the following we will show that Bob can achieve existential forgery, where many valid message and signature pairs can be found.

According to the protocol, a valid signature of the quantum message $|P\rangle$ should be of the form

$$|S\rangle = E_{K_A}(|M_A\rangle \otimes |R_A\rangle) = E_{K_A}(|M_A\rangle \otimes E'_{K_A}|P\rangle) = E_{K_A}|M_A\rangle \otimes E_{K_A}E'_{K_A}|P\rangle. \qquad (4)$$

Because $E_{K_A}|M_A\rangle$ contributes nothing to Trent's resolution of disputes, the key point is whether Bob can find a pair of qubit sequences $(|\mathcal{P}\rangle, |\mathcal{S}'\rangle)$ which satisfies the relation

$$|\mathcal{S}'\rangle = E_{K_A}E'_{K_A}|\mathcal{P}\rangle. \qquad (5)$$

Note that Bob does not know $K_A$, but he has a valid signed message $(|P\rangle, |S\rangle)$, which implies he has a pair $(|P\rangle, |S'\rangle)$ satisfying $|S'\rangle = E_{K_A}E'_{K_A}|P\rangle$. Can Bob find a valid pair $(|\mathcal{P}\rangle, |\mathcal{S}'\rangle)$ from the known $(|P\rangle, |S'\rangle)$? The answer is yes. In fact, if Bob performs one Pauli operation on each qubit in $|P\rangle$, obtaining $|\mathcal{P}\rangle$, and the same operation on the corresponding qubit in $|S'\rangle$, obtaining $|\mathcal{S}'\rangle$, the pair $(|\mathcal{P}\rangle, |\mathcal{S}'\rangle)$ will be a valid signed message.

To see it more clearly, suppose $|P\rangle = \bigotimes_{i=1}^{n}|p_i\rangle$. Then $|S'\rangle$ is of the form $|S'\rangle = \bigotimes_{i=1}^{n}|s'_i\rangle$, where

$$|s'_i\rangle = E_{k^A_{2i-1}k^A_{2i}} E'_{k^A_i} |p_i\rangle. \qquad (6)$$

When Bob performs one Pauli operation $U_i$ on every qubit pair $|p_i\rangle$ and $|s'_i\rangle$, he obtains

$$|\mathcal{P}\rangle = \bigotimes_{i=1}^{n} U_i |p_i\rangle, \qquad (7)$$

$$|\mathcal{S}'\rangle = \bigotimes_{i=1}^{n} U_i E_{k^A_{2i-1}k^A_{2i}} E'_{k^A_i} |p_i\rangle. \qquad (8)$$

It is not difficult to see that $E_{k^A_{2i-1}k^A_{2i}}$ is the QOTP encryption and $E'_{k^A_i}$ is also an encryption with Pauli operations. Therefore, the combination of these two encryptions $E_{k^A_{2i-1}k^A_{2i}}E'_{k^A_i}$ is still an encryption via one of the four Pauli operations $\{I, \sigma_x, \sigma_z, \sigma_x\sigma_z\}$, where $I$ is the identity operator and $\sigma_x\sigma_z = -i\sigma_y$. According to the commutation relations among Pauli operations, we have

$$U_i E_{k^A_{2i-1}k^A_{2i}} E'_{k^A_i} = \pm E_{k^A_{2i-1}k^A_{2i}} E'_{k^A_i} U_i, \qquad (9)$$

and then

$$|\mathcal{S}'\rangle = \bigotimes_{i=1}^{n} \left(\pm E_{k^A_{2i-1}k^A_{2i}} E'_{k^A_i} U_i |p_i\rangle\right). \qquad (10)$$

Note that every $|p_i\rangle$ is a pure state of a single particle, a restriction imposed by the probabilistic comparison of two unknown quantum states [24]. In this condition, all the minus signs in Eq. (10) are global phases and can be omitted. Therefore, we have

$$|\mathcal{S}'\rangle = \bigotimes_{i=1}^{n} E_{k^A_{2i-1}k^A_{2i}} E'_{k^A_i} U_i |p_i\rangle = E_{K_A}E'_{K_A}|\mathcal{P}\rangle, \qquad (11)$$

where Eq. (7) is used. Obviously, if Bob provides his counterfeit $(|\mathcal{P}\rangle, |\mathcal{S}'\rangle)$ to Trent it will always pass the verification.

So far we have found a simple way for Bob to achieve existential forgery of Alice's signature under known message attack. The attack strategy can be described as follows. Suppose Bob has a valid signed message of Alice, i.e. $(|P\rangle, |S\rangle)$. He performs $\bigotimes_{i=1}^{n}U_i$ ($U_i$ is any Pauli operation) on the qubits in $|P\rangle$, and the same operations on the last $n$ qubits in $|S\rangle$ (i.e. $|S'\rangle$). The resulting new pair $(|\mathcal{P}\rangle, |\mathcal{S}\rangle)$ must be a successful forgery. Because each $U_i$ can be selected from four Pauli operations at will, at least $4^n - 1$ different forgeries can be found by Bob [the original one $(|P\rangle, |S\rangle)$ is not included]. Therefore, Bob can select the most preferred message $|\mathcal{P}\rangle_{pr}$ from them and say that it is the message Alice signed for him. In this condition Trent will always stand on the side of Bob, though Alice is greatly aggrieved. Note that Bob can perform his attack directly when he has just received Alice's signed message, or after the verifying phase, where he needs to launch the dispute and require Trent's judgement.

Finally, there is another thing which should be emphasized. As was pointed out in Ref. [23], the AQS protocol with Bell states can be used to sign both quantum messages and classical ones. It is not difficult to see that Bob can achieve universal forgery of Alice's signature under known message attack if the signed message is classical. For example, suppose Bob has a valid signed message of Alice, i.e. $(|P\rangle, |S\rangle)$, where $|P\rangle = \bigotimes_{i=1}^{n}|p_i\rangle$ is a classical message, that is, $|p_i\rangle = |0\rangle$ or $|1\rangle$. If Bob wants to forge Alice's signature on the message $|Q\rangle = \bigotimes_{i=1}^{n}|q_i\rangle$ ($|q_i\rangle = |0\rangle$ or $|1\rangle$), he just chooses the Pauli operations

$$\bigotimes_{i=1}^{n} U_i = \bigotimes_{i=1}^{n} \sigma_x^{p_i \oplus q_i} \qquad (12)$$

in the above attack, where $\oplus$ represents addition modulo 2. As a result, Bob can forge Alice's signature on any classical message he wants.
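The following Python is an added example, not code from the paper or from Refs. [23], [24]: it simulates the single-qubit algebra behind the QOTP cell of Eq. (1), the signature cell of Eq. (6) and Trent's comparison of Eq. (5), and then checks the commutation relation (9) on which Eqs. (7)-(12) rest, the classical case of Eq. (12), and, for contrast, what Trent sees when a signature qubit is disturbed while the message is untouched (the situation of Sec. II C 2). All function names, the three-qubit message and the key bits are constructed for the example.

```python
# Added example (not from the paper): classical simulation of the single-qubit
# algebra behind Eqs. (1)-(12). States are 2-vectors of complex amplitudes and
# Pauli operations are 2x2 matrices, so the identities that Trent's check rests
# on are computed exactly. All keys and amplitudes are constructed sample values.
import math

I = ((1, 0), (0, 1))          # identity
SX = ((0, 1), (1, 0))         # sigma_x
SZ = ((1, 0), (0, -1))        # sigma_z

def matmul(a, b):
    """Product of two 2x2 matrices given as tuples of rows."""
    return tuple(tuple(sum(a[r][k] * b[k][c] for k in range(2)) for c in range(2)) for r in range(2))

def apply(m, v):
    """Apply a 2x2 operator to a single-qubit state vector."""
    return tuple(m[r][0] * v[0] + m[r][1] * v[1] for r in range(2))

# Bob's four choices for each U_i; sigma_x sigma_z = -i sigma_y.
PAULIS = {"I": I, "X": SX, "Z": SZ, "XZ": matmul(SX, SZ)}

def same_up_to_phase(u, v, tol=1e-9):
    """u = e^{i theta} v for some theta: a comparison of two pure states cannot
    see a global phase, which is why the signs in Eq. (10) can be dropped."""
    inner = abs(sum(x.conjugate() * y for x, y in zip(u, v)))
    norms = math.sqrt(sum(abs(x) ** 2 for x in u) * sum(abs(x) ** 2 for x in v))
    return abs(inner - norms) < tol

def qotp_cell(k1, k2):
    """E_{k_{2i-1} k_{2i}} of Eq. (1): sigma_x^{k_{2i-1}} sigma_z^{k_{2i}}."""
    return matmul(SX if k1 else I, SZ if k2 else I)

def qotp_encrypt(key, qubits):
    """E_K of Eq. (1); the key has 2n bits for n qubits."""
    return [apply(qotp_cell(key[2 * i], key[2 * i + 1]), q) for i, q in enumerate(qubits)]

def eprime_cell(ka_bit):
    """M_{k^A_i} of Eq. (3): sigma_x for key bit 0, sigma_z for key bit 1."""
    return SZ if ka_bit else SX

def sign_cells(ka_qotp, ka_prime, qubits):
    """|s'_i> = E_{k^A_{2i-1} k^A_{2i}} E'_{k^A_i} |p_i>, Eq. (6): the last n qubits of |S>."""
    return [apply(qotp_cell(ka_qotp[2 * i], ka_qotp[2 * i + 1]), apply(eprime_cell(ka_prime[i]), q))
            for i, q in enumerate(qubits)]

def trent_verifies(ka_qotp, ka_prime, qubits, cells):
    """Trent's dispute check, Eq. (5): recompute E_{K_A}E'_{K_A}|P> and compare qubit by qubit."""
    return all(same_up_to_phase(e, c) for e, c in zip(sign_cells(ka_qotp, ka_prime, qubits), cells))

def commutation_sign(u_name, k1, k2, ka_bit):
    """The sign in Eq. (9), U E E' = +/- E E' U, or None if neither sign works."""
    u, ee = PAULIS[u_name], matmul(qotp_cell(k1, k2), eprime_cell(ka_bit))
    lhs, rhs = matmul(u, ee), matmul(ee, u)
    for s in (1, -1):
        if all(abs(lhs[r][c] - s * rhs[r][c]) < 1e-9 for r in range(2) for c in range(2)):
            return s
    return None

def forged_pair_verifies(ka_qotp, ka_prime, qubits, u_names):
    """Eqs. (7)-(8): the same U_i on |p_i> and |s'_i>, then Trent's check. Bob himself
    never uses the key bits; they are passed only so that Trent can be simulated."""
    cells = sign_cells(ka_qotp, ka_prime, qubits)
    forged_p = [apply(PAULIS[n], q) for n, q in zip(u_names, qubits)]
    forged_s = [apply(PAULIS[n], c) for n, c in zip(u_names, cells)]
    return trent_verifies(ka_qotp, ka_prime, forged_p, forged_s)

def disturbed_signature_verifies(ka_qotp, ka_prime, qubits, index, u_name):
    """Alice's disavowal (Sec. II C 2): one cell of |S'> disturbed while |P> is untouched."""
    cells = sign_cells(ka_qotp, ka_prime, qubits)
    cells[index] = apply(PAULIS[u_name], cells[index])
    return trent_verifies(ka_qotp, ka_prime, qubits, cells)

def classical_forgery(ka_qotp, ka_prime, p_bits, q_bits):
    """Eq. (12): U_i = sigma_x^{p_i XOR q_i} maps the signed classical |P> to |Q>.
    Returns the bits Trent would see as the message and whether he accepts them."""
    basis = lambda b: (0, 1) if b else (1, 0)
    names = ["X" if p ^ q else "I" for p, q in zip(p_bits, q_bits)]
    forged = tuple(int(abs(apply(PAULIS[n], basis(p))[1]) > 0.5) for n, p in zip(names, p_bits))
    return forged, forged_pair_verifies(ka_qotp, ka_prime, [basis(b) for b in p_bits], names)

# Constructed sample: a 3-qubit message, 2n constructed bits for E_{K_A} and n for E'_{K_A}.
SAMPLE_QUBITS = [(1 / math.sqrt(2), 1 / math.sqrt(2)), (0.6, 0.8j), (1, 0)]
KA_QOTP = (1, 0, 1, 1, 0, 1)
KA_PRIME = (0, 1, 1)

if __name__ == "__main__":
    print("forged (X, Z, XZ) pair accepted:", forged_pair_verifies(KA_QOTP, KA_PRIME, SAMPLE_QUBITS, ("X", "Z", "XZ")))
    print("disturbed |S'> accepted:", disturbed_signature_verifies(KA_QOTP, KA_PRIME, SAMPLE_QUBITS, 2, "X"))
    print("classical 011 -> 110:", classical_forgery(KA_QOTP, KA_PRIME, (0, 1, 1), (1, 1, 0)))
```

The exhaustive check over `PAULIS` and all key-bit patterns confirms that Eq. (9) never fails, which is the whole reason Trent's comparison cannot separate a forged pair from Alice's own; a disturbed signature cell, by contrast, is rejected, which is what Alice exploits in the disavowal.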

2. Alice's disavowal 

Above we have shown that Bob can forge Alice's signature successfully. Now we consider the other security issue in quantum signature, i.e. Alice's disavowal. In fact Alice can also cheat in this AQS protocol. That is, Alice can successfully disavow any message she ever signed.

Suppose Alice signs a message (e.g. a contract) $|P\rangle = \bigotimes_{i=1}^{n}|p_i\rangle$ according to the steps in the protocol, and sends $(|P\rangle, |S\rangle)$ to Bob. When Trent sends $|Y_{TB}\rangle = E_{K_B}(|M_A\rangle \otimes |S\rangle \otimes |P\rangle \otimes |r\rangle)$ to Bob in Step V3, Alice modifies the states of the ciphertext qubits corresponding to the last $n$ qubits in $|S\rangle$ (i.e. $|S'\rangle$), so that the resulting states of these qubits (denoted $|S_A\rangle$) are no longer a valid signature of $|P\rangle$. Note that Alice can find these qubits in the ciphertext and then disturb them while leaving the others unchanged, because the qubit numbers in $|M_A\rangle$, $|S\rangle$, $|P\rangle$, and $|r\rangle$ are fixed, and QOTP encryption is qubit-by-qubit. Furthermore, Bob cannot discover Alice's modification of $|S'\rangle$ because he does not know $K_A$. Thus when Bob requires Alice to fulfil this contract at a later time, Alice can disavow this contract by announcing that it is not the one she ever signed or that it was illegally modified by Bob. In this circumstance, interestingly, Trent will stand on the side of Alice.

This attack is very simple and not difficult to understand. First, the original signed message $(|P\rangle, |S\rangle)$ is really signed by Alice and so it will pass Trent's verification ($r = 1$). Second, because Alice only modified $|S\rangle$, which is a ciphertext for Bob and not useful for Bob's verification in Step V5, Bob will accept this signature without noticing Alice's attack. Third, when a dispute appears Bob provides $(|P\rangle, |S_A\rangle)$ to Trent and requires his judgement. Obviously the modified signature will not pass Trent's verification and consequently Trent will agree with Alice, believing that the signature was forged by Bob.

III. ANALYSIS OF THE AQS PROTOCOL WITHOUT ENTANGLED STATES

In Ref. [24] Zou et al. improved the above AQS protocol to prevent the disavowal of Bob, and proposed a new AQS protocol without using entangled states. Here we take the new protocol as our example to show that it is also susceptible to our attacks. Because the protocol and the attack strategies are similar to those in Sec. II, we will describe them only briefly.



A. AQS protocol without using entangled states 

The AQS protocol without using entangled states [24] is as follows.

Initializing phase.

Three keys $K_{AB}$, $K_{AT}$, and $K_{BT}$ are shared between Alice and Bob, Alice and Trent, and Bob and Trent, respectively.

Signing phase.

S1. Alice obtains three copies of the quantum message $|P\rangle = \bigotimes_{i=1}^{n}|p_i\rangle$ and encrypts each of them into $|P'\rangle$ using a random number $r$ as the key.

S2. Alice performs the following encryptions: $|R_{AB}\rangle = E_{K_{AB}}|P'\rangle$, $|S_A\rangle = E_{K_{AT}}|P'\rangle$, and $|S\rangle = E_{K_{AB}}(|P'\rangle, |R_{AB}\rangle, |S_A\rangle)$, and sends $|S\rangle$ to Bob.

Verifying phase.

V1. Bob decrypts $|S\rangle$ and sends $|Y_B\rangle = E_{K_{BT}}(|P'\rangle, |S_A\rangle)$ to Trent.

V2. Trent decrypts $|Y_B\rangle$ and verifies whether $|S_A\rangle = E_{K_{AT}}|P'\rangle$. He publishes $V_T = 1$ and sends $|Y_B\rangle$ back to Bob if the equation holds, otherwise $V_T = 0$.

V3. Bob decrypts $|Y_B\rangle$ and verifies whether $|R_{AB}\rangle = E_{K_{AB}}|P'\rangle$. If it is, he publishes $V_B = 1$, otherwise $V_B = 0$.

V4. When $V_T = V_B = 1$, Bob accepts Alice's signature. In this condition Alice publishes $r$ and Bob recovers $|P\rangle$ from $|P'\rangle$. Finally Bob stores $(|P\rangle, |S_A\rangle, r)$ as the signed message.



B. Analysis of the AQS protocol without using entangled states

Compared with the one with Bell states, this protocol mainly changes in two aspects. On the one hand, the message copy for Bob is sent by QOTP encryption instead of teleportation, so Bell states are no longer needed. On the other hand, the parameter $r$ is introduced to prevent Bob from obtaining the message content before he accepts it. Obviously, the first change has no effect on the attack strategies we proposed above. Now we analyze how the second change influences the attacks.

As far as Bob's forgery is concerned, the situation is just like that in the protocol with Bell states. For example, $|S_A\rangle$ is also the QOTP encryption of $|P'\rangle$, and Trent does not know the (quantum) message content from beginning to end. Therefore, Bob can forge a signature by performing Pauli operations $\bigotimes_{i=1}^{n}U_i$ on the qubits in $|P'\rangle$, and the same operations on the qubits in $|S_A\rangle$. In fact, introducing the parameter $r$ brings only one difference, that is, if Bob wants to forge Alice's signature when he has just received the signed message, he cannot choose a suitable $\bigotimes_{i=1}^{n}U_i$ to obtain the fake message he prefers. This is because at that time the message $|P'\rangle$ is still a ciphertext encrypted by the unknown $r$. But Bob can still forge the signature after the verifying phase, where he launches the dispute and requires Trent's judgement. At that time $r$ has been published and Bob can choose Pauli operations suitable for him. As a result, Bob also achieves existential forgery of Alice's signature under known message attack. Similar to the situation in the protocol with Bell states, when the signed message is classical the forgery becomes universal.

It is not difficult to see that introducing the parameter $r$ has no influence on Alice's attack, i.e. disavowal. Because Trent will send $|S_A\rangle$ (in the form of ciphertext in $|Y_B\rangle$) back to Bob after his judgement, Alice can still disturb the states of the qubits in it so that $(|P\rangle, |S_A\rangle, r)$ is no longer a valid signed message. Furthermore, this attack will not be discovered by Bob because he does not know $K_{AT}$. In this way Alice can successfully disavow her signature on any message she ever signed.



IV. DISCUSSIONS 

Here we analyze the reasons why our attack strategies work in AQS protocols, and try to find some ways to improve the protocols. Without loss of generality, we take the protocol with Bell states [23] as the example for our analysis.

In our opinion, the following three facts are the main reasons why the AQS protocol is susceptible to our attacks.

(1) Trent does not know the content of the signed message because it is a quantum one. Therefore, when a dispute appears Trent can only require Bob to provide the signed message $(|P\rangle, |S\rangle)$ and judge who is cheating by verifying whether Eq. (5) holds. This fact gives Alice or Bob the chance to change the states of $|P\rangle$ and $|S\rangle$ without being discovered.

(2) Though it achieves high security for data encryption, QOTP is not so suitable (or not enough) for AQS. On the one hand, this algorithm encrypts data qubit by qubit. Thus Alice and Bob can easily find and modify the qubits they want to change in the ciphertext, leaving the others undisturbed. On the other hand, Pauli operations commute or anticommute with each other, which means that $|P\rangle$ and $|S'\rangle$ can still pass Trent's verification after Bob applies the same Pauli operations to both. Therefore, Bob can give many existential forgeries based on one legal signed message.

(3) As the most important evidence when Trent resolves a dispute, $|S'\rangle$ is the ciphertext of $|P\rangle$ under encryption with the key $K_A$, which is unknown to Bob. When Trent sends $|S'\rangle$ back to Bob, it is totally unreadable for Bob and its integrity cannot be verified. This gives Alice the chance to intercept and modify $|S'\rangle$ without being discovered, and then successfully disavow her signature later.

Based on the above analysis, the following two elementary methods can be used to improve the AQS protocol.

(1) After the verification Trent does not send $|S'\rangle$ to Bob, but keeps it in his own hands. When a dispute appears Trent requires Bob to provide $|P\rangle$ and verifies the relation between $|P\rangle$ and the corresponding $|S'\rangle$ according to Eq. (5). In this way neither Alice nor Bob has a chance to modify $|S'\rangle$ after Trent's verification. But this improvement cannot prevent Bob's forgery when he has just received the signed message (i.e. before Trent's verification). Furthermore, it also has another disadvantage, that is, Trent has to store one signature (like $|S'\rangle$) for every verification that happens, which greatly increases his burden.

(2) Introducing quantum message authentication into the AQS protocol to ensure the integrity of the signature $|S'\rangle$. For example, before she sends it to Bob, Alice encodes $|S'\rangle$ with $K_A$ into the authenticated message $|S'_A\rangle$. Thus Trent can verify its integrity when he receives $|S'_A\rangle$ from Bob. Similarly, Trent encodes $|S'_A\rangle$ with $K_B$ into the authenticated message $|S'_{AB}\rangle$ before he sends it to Bob. Thus when he receives it Bob can verify whether it was modified by Alice in transmission. As a result, the attacks from both Alice and Bob can be prevented. Nevertheless, a suitable authentication scheme still needs further study [16-19].

In addition, hash functions [15] are generally accepted as a means to prevent existential forgery in classical digital signature. If we had a hash function on quantum messages, it would be an effective way to stand against Bob's forgery. However, it cannot prevent Alice's disavowal, and the feasibility of such a hash function also needs further study.

V. CONCLUSIONS 

We have analyzed the security of the AQS protocols [23], [24] and given attack strategies for both Alice and Bob. It is shown that Bob can achieve existential forgery of Alice's signature under known message attack. More seriously, Bob can realize universal forgery when the signed message is classical. Furthermore, Alice can disavow any of her signatures in these protocols. The strategies are demonstrated in detail and some discussions on how to improve the protocols are presented.



As we pointed out in Sec. I, the AQS protocols gave an elementary model to sign a quantum message. To our knowledge, this is currently the only model which can overcome Barnum et al.'s limit [17] and is feasible in theory. Though we have found insecurities in AQS protocols, the loopholes can be closed by means such as quantum message authentication. Therefore, AQS protocols are still valuable and deserve further study. In our opinion, the following topics are interesting and can be studied in the future. (1) Designing a message authentication scheme which is suitable for AQS protocols. (2) Designing an AQS protocol where the message can be signed and verified by multiple parties. (3) As we know, the comparison of two unknown quantum states [25] can only give a probabilistic result. If Bob changes only a few qubits (maybe the key qubits) in the signed message, this will go undiscovered with a certain probability. How can this problem be resolved? (4) In a real channel there will be noise, which changes a legal signed message in the channel so that it cannot pass verification. Can AQS protocols overcome the influence of noise? (5) The qubits in the signed message are limited to pure single-particle states in AQS protocols because the state comparison circuit will not work as expected when its inputs are two mixed states. How can the signature of quantum messages including entangled states be realized?